from:http://blog.csdn.net/iiprogram/article/details/4792390
自己写的PE 信息查看工具(C代码),不甚完美,希望可以帮助初学PE 的读者从编程的角度认识PE文件,Good Luck!
下面是源代码:
/*///////////////////////////////////////////////////////////////////////////////
This program will output the values of important members in the PE file
Good Luck!
///////////////////////////////////////////////////////////////////////////////*/
/*///////////////////////////////////////////////////////////////////////////////
USAGE: peinfo.exe DestinationFileName
///////////////////////////////////////////////////////////////////////////////*/
#include<windows.h>
#include<stdio.h>
#include<shlwapi.h>
/*////////////////////////////////////////////////////////////////////////////
This function is used for outputting the error information
Please use GetLastError() to retrieve the dwErrorCode,Gook Luck!*/
void OutputErrorInfo(DWORD dwErrorCode)
{
TCHAR FormattedErrorInfo[MAX_PATH];
RtlZeroMemory(FormattedErrorInfo,MAX_PATH);//Initialization
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
0,
dwErrorCode,
MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),//English
// 0, //The default language of the current system
FormattedErrorInfo,MAX_PATH,NULL);
// printf("/nCopyFile()'s ErrorInformation:%s/n",FormattedErrorInfo);
MessageBox(NULL,FormattedErrorInfo,"Error",MB_OK|MB_ICONINFORMATION);
}
/*//////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////*/
//Notice the file pointer all the time,this is very important.
void main(int argc,char *argv[])
{
HANDLE hDestinationFile=NULL;
//////////////////////////////////////////////////////////////////////
DWORD i=0;
DWORD j=0;
DWORD k=0;
DWORD NumberOfBytesRead=0; //Number of bytes read
WORD MZSignature=0; // MZ signature
DWORD ImageNtSignature=0; //PE signature
DWORD OffsetOfNewHeader=0;
DWORD NumberOfSections=0;
DWORD SizeOfOptionalHeader=0;
DWORD SizeOfSectionTable=0; //size of section table
HANDLE hGlobalAllocatedMemory=NULL; //use GlobalAlloc();
HANDLE hGlobalAllocatedMemoryOfDataDirectory=NULL;
PIMAGE_SECTION_HEADER pImageSectionHeader=NULL; //a pointer to IMAGE_SECTION_TABLE
PIMAGE_DATA_DIRECTORY pImageDataDirectory; //a pointer to IMAGE_DATA_DIRECTORY
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
IMAGE_DOS_HEADER ImageDosHeader;
IMAGE_NT_HEADERS ImageNTHeaders;
IMAGE_FILE_HEADER ImageFileHeader;
IMAGE_OPTIONAL_HEADER ImageOptionalHeader;
IMAGE_SECTION_HEADER ImageSectionHeader;
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
IMAGE_EXPORT_DIRECTORY ImageExportDirectory; //Export and Import
IMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor;
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory=NULL;
PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor=NULL;
DWORD *pExportAddressTableEntry=NULL; //pointer
DWORD *pExportNamePointerTableEntry=NULL;
WORD *pExportOrdinalTableEntry=NULL;
DWORD SizeOfRawData=0;
DWORD PointerToRawData=0;
DWORD VirtualAddress=0;
DWORD CountOfImportDirectoryEntries=0;
DWORD RvaOfExportDirectoryTable=0;
DWORD RvaOfImportDirectoryTable=0;
DWORD DestinationSectionPosition=0; //Destination Section Position
DWORD FilePointerToIMAGE_EXPORT_DERECTORY=0; //file pointer
DWORD FilePointerToImportDirectoryTable=0;
DWORD FilePointerOfExportedDllName=0;
TCHAR ExportedDllName[MAX_PATH];
TCHAR ImportedDllName[MAX_PATH]; //Imported Dll Name
DWORD FilePointerOfExportAddressTable=0; //file pointer
DWORD FilePointerOfExportOrdinalTable=0;
DWORD FilePointerOfExportNamePointerTable=0;
HANDLE hGlobalMemoryForExportAddressTable=NULL; //Global memory allocated
HANDLE hGlobalMemoryForExportOrdinalTable=NULL;
HANDLE hGlobalMemoryForExportNamePointerTable=NULL;
HANDLE hGlobalMemoryForImportDirectoryTable=NULL;
HANDLE hGlobalMemoryForImportDirectoryTable2=NULL;
HANDLE hGlobalMemoryForCount=NULL;
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
RtlZeroMemory(&ImageDosHeader,sizeof(IMAGE_DOS_HEADER));
RtlZeroMemory(&ImageNTHeaders,sizeof(IMAGE_NT_HEADERS));
RtlZeroMemory(&ImageFileHeader,sizeof(IMAGE_FILE_HEADER));
RtlZeroMemory(&ImageOptionalHeader,sizeof(IMAGE_OPTIONAL_HEADER));
RtlZeroMemory(&ImageSectionHeader,sizeof(IMAGE_SECTION_HEADER));
RtlZeroMemory(&ImageExportDirectory,sizeof(IMAGE_EXPORT_DIRECTORY)); //Export and Import
RtlZeroMemory(&ImageImportDescriptor,sizeof(IMAGE_IMPORT_DESCRIPTOR));
if(argc!=2)
{
printf("Error./nUSAGE:peinfo.exe DestinationFileName/n");
return;
}
hDestinationFile=CreateFile(argv[1],
FILE_WRITE_DATA|FILE_READ_DATA,
FILE_SHARE_WRITE,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);
OutputErrorInfo(GetLastError());
// OpenFile(DestinationPEFile,NULL,NULL);
if(hDestinationFile==INVALID_HANDLE_VALUE)
{
printf("/nCreateFile() fails!Can't open file. Please try again!/n");
return;
}
if(!ReadFile(hDestinationFile,&MZSignature,2,&NumberOfBytesRead,NULL))
{
printf("/nReadFile() fails! Please try again./n");
return;
}
if(NumberOfBytesRead!=2)
{
printf("/nReadFile() fails! Can't get the MZSignature./n");
return;
}
if(MZSignature!=0x5A4D)
{
printf("/nThis file is not a valid PE file./n");
printf("/nThe value of MZSignature is:%#x/n",MZSignature);
return;
}
SetFilePointer(hDestinationFile,0,NULL,FILE_BEGIN); //Revert the file pointer,this is very important.
ReadFile(hDestinationFile,&ImageDosHeader,
sizeof(IMAGE_DOS_HEADER),&NumberOfBytesRead,NULL);
if(NumberOfBytesRead!=sizeof(IMAGE_DOS_HEADER))
{
printf("/nReadFile() fails! Can't get IMAGE_DOS_HEADER./n");
return;
}
else
{
printf("/nGet IMAGE_DOS_HEADER successfully!/n");
}
////////////////////////////////////Output the information in the IMAGE_DOS_HEADER
printf("ImageDosHeader.e_magic: %#x/n",ImageDosHeader.e_magic);
printf("ImageDosHeader.e_crlc: %#x/n",ImageDosHeader.e_crlc); //Relocations
printf("ImageDosHeader.e_ss: %#x/n",ImageDosHeader.e_ss);
printf("ImageDosHeader.e_sp: %#x/n",ImageDosHeader.e_sp);
printf("ImageDosHeader.e_csum: %#x/n",ImageDosHeader.e_csum); //check sum
printf("ImageDosHeader.e_ip: %#x/n",ImageDosHeader.e_ip);
printf("ImageDosHeader.e_cs: %#x/n",ImageDosHeader.e_cs);
printf("ImageDosHeader.e_lfarlc: %#x/n",ImageDosHeader.e_lfarlc); //File address of relocation table
printf("ImageDosHeader.e_oemid: %#x/n",ImageDosHeader.e_oemid);
printf("ImageDosHeader.e_oeminfo: %#x/n",ImageDosHeader.e_oeminfo);
printf("ImageDosHeader.e_lfanew: %#x/n",ImageDosHeader.e_lfanew); //file address of new exe header
// printf("ImageDosHeader.e_crlc%#x/n",ImageDosHeader.e_sp);
//......
if(ImageDosHeader.e_magic!=MZSignature) //MZ header
{
printf("/nValue of ImageDosHeader.e_magic is:");
printf("%#x,%#d/n",ImageDosHeader.e_magic,ImageDosHeader.e_magic);
}
OffsetOfNewHeader=ImageDosHeader.e_lfanew; //File address of new exe header
SetFilePointer(hDestinationFile,(LONG)OffsetOfNewHeader,NULL,FILE_BEGIN);
// OutputErrorInfo(GetLastError());
ReadFile(hDestinationFile,&ImageNTHeaders,
sizeof(IMAGE_NT_HEADERS),&NumberOfBytesRead,NULL); //Retrieve IMAGE_NT_HEADERS
if(NumberOfBytesRead!=sizeof(IMAGE_NT_HEADERS))
{
printf("/nReadFile() fails! Cant' get IMAGE_NT_HEADER./n");
return;
}
else
{
printf("/nGet IMAGE_NT_HEADERS successfully!/n");
}
//Output the information in IMAGE_NT_HEADER
printf("ImageNTHeaders.Signature: %#x/n",ImageNTHeaders.Signature);
SetFilePointer(hDestinationFile,OffsetOfNewHeader+4,NULL,FILE_BEGIN); //Set the file pointer to point to IMAGE_FILE_HEADER
ReadFile(hDestinationFile,&ImageFileHeader,
sizeof(IMAGE_FILE_HEADER),&NumberOfBytesRead,NULL); //Retrieve IMAGE_FILE_HEADER
if(NumberOfBytesRead!=sizeof(IMAGE_FILE_HEADER))
{
printf("/nReadFile() fails! Can't get IMAGE_FILE_HEADER./n");
return;
}
else
{
printf("/nGet IMAGE_FILE_HEADER successfully!/n");
}
//Output the information in IMAGE_FILE_HEADER
printf("ImageFileHeader.Machine: %#x/n",ImageFileHeader.Machine);
printf("ImageFileHeader.NumberOfSections: %#x/n",ImageFileHeader.NumberOfSections);
printf("ImageFileHeader.TimeDateStamp: %#x/n",ImageFileHeader.TimeDateStamp);
printf("ImageFileHeader.SizeOfOptionalHeader: %#x/n",ImageFileHeader.SizeOfOptionalHeader);
printf("ImageFileHeader.Characteristics: %#x/n",ImageFileHeader.Characteristics);
ReadFile(hDestinationFile,&ImageOptionalHeader,
sizeof(IMAGE_OPTIONAL_HEADER),&NumberOfBytesRead,NULL); //Retrieve IMAGE_OPTIONAL_HEADER
if(NumberOfBytesRead!=sizeof(IMAGE_OPTIONAL_HEADER))
{
printf("/nReadFile() fails! Can't get IMAGE_OPTIONAL_HEADER./n");
return;
}
else
{
printf("/nGet IMAGE_OPTIONAL_HEADER successfully!/n");
}
//Output the information in the IMAGE_OPTIONAL_HEADER
//
//Standard fields.
//
printf("--------------------------------------------->>>Standard fields/n");
printf("ImageOptionalHeader.Magic: %#x/n",ImageOptionalHeader.Magic); //Standard fields
printf("ImageOptionalHeader.MajorLinkerVersion: %#x/n",ImageOptionalHeader.MajorLinkerVersion);
printf("ImageOptionalHeader.MinorLinkerVersion: %#x/n",ImageOptionalHeader.MinorLinkerVersion);
printf("ImageOptionalHeader.SizeOfCode: %#x/n",ImageOptionalHeader.SizeOfCode);
printf("ImageOptionalHeader.SizeOfInitializedData: %#x/n",ImageOptionalHeader.SizeOfInitializedData);
printf("ImageOptionalHeader.SizeOfUninitializedData: %#x/n",ImageOptionalHeader.SizeOfUninitializedData);
printf("ImageOptionalHeader.AddressOfEntryPoint: %#x/n",ImageOptionalHeader.AddressOfEntryPoint);
printf("ImageOptionalHeader.BaseOfCode: %#x/n",ImageOptionalHeader.BaseOfCode);
printf("ImageOptionalHeader.BaseOfData: %#x/n",ImageOptionalHeader.BaseOfData);
//
////NT additional fields
//
printf("---------------------------------------------->>>NT additional fields/n");
printf("ImageOptionalHeader.ImageBase: %#x/n",ImageOptionalHeader.ImageBase);
printf("ImageOptionalHeader.SectionAlignment: %#x/n",ImageOptionalHeader.SectionAlignment);
printf("ImageOptionalHeader.FileAlignment: %#x/n",ImageOptionalHeader.FileAlignment);
printf("ImageOptionalHeader.MajorOperatingSystemVersion: %#x/n",ImageOptionalHeader.MajorOperatingSystemVersion);
printf("ImageOptionalHeader.MinorOperatingSystemVersion: %#x/n",ImageOptionalHeader.MinorOperatingSystemVersion);
printf("ImageOptionalHeader.MajorImageVersion: %#x/n",ImageOptionalHeader.MajorImageVersion);
printf("ImageOptionalHeader.MinorImageVersion: %#x/n",ImageOptionalHeader.MinorImageVersion);
printf("ImageOptionalHeader.MajorSubsystemVersion: %#x/n",ImageOptionalHeader.MajorSubsystemVersion);
printf("ImageOptionalHeader.MinorSubsystemVersion: %#x/n",ImageOptionalHeader.MinorSubsystemVersion);
printf("ImageOptionalHeader.Win32VersionValue: %#x/n",ImageOptionalHeader.Win32VersionValue);
printf("ImageOptionalHeader.SizeOfImage: %#x/n",ImageOptionalHeader.SizeOfImage);
printf("ImageOptionalHeader.SizeOfHeaders: %#x/n",ImageOptionalHeader.SizeOfHeaders);
printf("ImageOptionalHeader.CheckSum: %#x/n",ImageOptionalHeader.CheckSum);
printf("ImageOptionalHeader.Subsystem: %#x/n",ImageOptionalHeader.Subsystem);
printf("ImageOptionalHeader.DllCharacteristics: %#x/n",ImageOptionalHeader.DllCharacteristics);
printf("ImageOptionalHeader.SizeOfStackReserve: %#x/n",ImageOptionalHeader.SizeOfStackReserve);
printf("ImageOptionalHeader.SizeOfStackCommit: %#x/n",ImageOptionalHeader.SizeOfStackCommit);
printf("ImageOptionalHeader.SizeOfHeapReserve: %#x/n",ImageOptionalHeader.SizeOfHeapReserve);
printf("ImageOptionalHeader.SizeOfHeapCommit: %#x/n",ImageOptionalHeader.SizeOfHeapCommit);
printf("ImageOptionalHeader.LoaderFlags: %#x/n",ImageOptionalHeader.LoaderFlags);
printf("ImageOptionalHeader.NumberOfRvaAndSizes: %#x/n",ImageOptionalHeader.NumberOfRvaAndSizes);
//Add the information in IMAGE_DATA_DIRECTORY to complete it.
printf("-------------------------------------------------------------------/n");
printf("Information in IMAGE_DATA_DIRECTORY/n");
hGlobalAllocatedMemoryOfDataDirectory=GlobalAlloc(GPTR,
sizeof(IMAGE_DATA_DIRECTORY)*ImageOptionalHeader.NumberOfRvaAndSizes); //Allocate memory and initialize with zero
pImageDataDirectory=(PIMAGE_DATA_DIRECTORY)hGlobalAllocatedMemoryOfDataDirectory;
RtlCopyMemory(pImageDataDirectory,ImageOptionalHeader.DataDirectory, //Get IMAGE_DATA_DIRECTORY
sizeof(IMAGE_DATA_DIRECTORY)*ImageOptionalHeader.NumberOfRvaAndSizes);
for(i=0;i<ImageOptionalHeader.NumberOfRvaAndSizes;i++)
{
printf("-------------------------------------/n");
switch(i)
{
case 0:
printf("Export Table:/n");
break;
case 1:
printf("Import Table:/n");
break;
case 2:
printf("Resource Table:/n");
break;
case 3:
printf("Exception Table:/n");
break;
case 4:
printf("Certificate Table:/n");
break;
case 5:
printf("Base Relocation Table:/n");
break;
case 6:
printf("Debug:/n");
break;
case 7:
printf("Architecture:/n");
break;
case 8:
printf("Global Ptr:/n");
break;
case 9:
printf("TLS Table:/n");
break;
case 10:
printf("Load Config Table:/n");
break;
case 11:
printf("Bound Import:/n");
break;
case 12:
printf("IAT:/n");
break;
case 13:
printf("Delay Import Descriptor:/n");
break;
case 14:
printf("CLR Runtime Header:/n");
break;
case 15:
printf("Reserved, must be zero:/n");
break;
}
printf("VirtualAddress: %#x/n",(pImageDataDirectory+i)->VirtualAddress);
printf("Size: %#x/n",(pImageDataDirectory+i)->Size);
// printf("-------------------------------------/n");
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
NumberOfSections=ImageFileHeader.NumberOfSections; //Number of sections
SizeOfOptionalHeader=ImageFileHeader.SizeOfOptionalHeader; //size of optional header
if(SizeOfOptionalHeader!=sizeof(IMAGE_OPTIONAL_HEADER))
{
printf("/nThere is an error./nThe value of ImageFileHeader.SizeOfOptionalHeader is incorrect!/n");
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
SizeOfSectionTable=sizeof(IMAGE_SECTION_HEADER)*NumberOfSections; //Get the size of Section Table
hGlobalAllocatedMemory=GlobalAlloc(GPTR,SizeOfSectionTable); //Allocate memory and initialize with zero
if(hGlobalAllocatedMemory==NULL)
{
printf("/nGlobalAlloc() failed! Please try again./n"); //if failed,return
return;
}
// RtlZeroMemory(hGlobalAllocatedMemory,SizeOfSectionTable); //Initialize with zero,this operation has been completed!
pImageSectionHeader=(PIMAGE_SECTION_HEADER)hGlobalAllocatedMemory; //Convert a handle to a pointer to IMAGE_SECTION_HEADER
for(i=0;i<NumberOfSections;i++) //Retrieve the Section Table
{
ReadFile(hDestinationFile,pImageSectionHeader+i,
sizeof(IMAGE_SECTION_HEADER),&NumberOfBytesRead,NULL);
if(NumberOfBytesRead!=sizeof(IMAGE_SECTION_HEADER))
{
printf("Error.Can't get IMAGE_SECTION_HEADER./n");
}
}
printf("------------------------------------------------------/n");
printf("------------------------------------------------------/n");
printf("/nGet IMAGE_SECTION_HEADER successfully!/n");
/*
//The following code fragment has the identical effect to the above for()
ReadFile(hDestinationFile,pImageSectionHeader,
SizeOfSectionTable,NULL,NULL); //Retrieve the Section Table
*/
for(i=0;i<NumberOfSections;i++)
{
printf("/nThe name of the section%d: ",i);
printf("%s/n",(*(pImageSectionHeader+i)).Name);
printf("Misc:%#x/n",(*(pImageSectionHeader+i)).Misc);
printf("VirtualAddress: %#x/n",(*(pImageSectionHeader+i)).VirtualAddress);
printf("SizeOfRawData: %#x/n",(*(pImageSectionHeader+i)).SizeOfRawData);
printf("PointerToRawData: %#x/n",(*(pImageSectionHeader+i)).PointerToRawData);
printf("PointerToRelocations: %#x/n",(*(pImageSectionHeader+i)).PointerToRelocations);
printf("PointerToLinenumbers: %#x/n",(*(pImageSectionHeader+i)).PointerToLinenumbers);
printf("NumberOfRelocations: %#x/n",(*(pImageSectionHeader+i)).NumberOfRelocations);
printf("NumberOfLinenumbers: %#x/n",(*(pImageSectionHeader+i)).NumberOfLinenumbers);
printf("Characteristics: %#x/n",(*(pImageSectionHeader+i)).Characteristics);
printf("------------------------------------------------------");
}
//Output information of .idata section
for(i=0;i<NumberOfSections;i++)
{
if(StrCmp((*(pImageSectionHeader+i)).Name,".idata")==0)
{
SizeOfRawData=(*(pImageSectionHeader+i)).SizeOfRawData;
PointerToRawData=(*(pImageSectionHeader+i)).PointerToRawData;
VirtualAddress=(*(pImageSectionHeader+i)).VirtualAddress;
SetFilePointer(hDestinationFile,PointerToRawData,NULL,FILE_BEGIN);
hGlobalMemoryForCount=GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR)); //Allocate memory and initialize with zero
do
{
ReadFile(hDestinationFile,hGlobalMemoryForCount,sizeof(IMAGE_IMPORT_DESCRIPTOR),&NumberOfBytesRead,NULL);
if(*((DWORD*)hGlobalMemoryForCount)==0 && *((DWORD*)hGlobalMemoryForCount+1)==0)
{
break;
}
else
CountOfImportDirectoryEntries++;
} while (1);
GlobalFree(hGlobalMemoryForCount); //Free the allocated memory
if(CountOfImportDirectoryEntries==0)
{
printf("/nThe count of Import Directory Entries is 0/n");//*******************************************/
return;
}
hGlobalMemoryForImportDirectoryTable=GlobalAlloc(GPTR,
sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries);
pImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)hGlobalMemoryForImportDirectoryTable;
SetFilePointer(hDestinationFile,PointerToRawData,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,hGlobalMemoryForImportDirectoryTable,
sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries,
&NumberOfBytesRead,NULL); //Get ImportDirectoryTable
if(NumberOfBytesRead==sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries)
{
printf("/n/nGet Import Directory Table successfully!/n");
}
else
{
printf("/nCan't get Import Directory Table./n");
return;
}
printf("/n");
for(j=0;j<CountOfImportDirectoryEntries;j++)
{
DWORD temp=0;
DWORD CountOfImportLookupTableEntries=0;
DWORD *PointToLookupTableEntries=NULL;
HANDLE GlobalMemoryForImportLookupTableEntries=NULL;
TCHAR DllName[MAX_PATH];
//Output Import Directory Table entries
printf("IMAGE_IMPORT_DESCRIPTOR.Characteristics: %#x/n",(*(pImageImportDescriptor+j)).Characteristics);
printf("IMAGE_IMPORT_DESCRIPTOR.FirstThunk: %#x/n",(*(pImageImportDescriptor+j)).FirstThunk);
printf("IMAGE_IMPORT_DESCRIPTOR.ForwarderChain: %#x/n",(*(pImageImportDescriptor+j)).ForwarderChain);
printf("IMAGE_IMPORT_DESCRIPTOR.Name: %#x/n",(*(pImageImportDescriptor+j)).Name);
printf("IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk: %#x/n",(*(pImageImportDescriptor+j)).OriginalFirstThunk);
printf("IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp: %#x/n",(*(pImageImportDescriptor+j)).TimeDateStamp);
//Output the corresponding dll name
temp=(*(pImageImportDescriptor+j)).Name-VirtualAddress+PointerToRawData;
SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,DllName,MAX_PATH,&NumberOfBytesRead,NULL);
printf("/n%s/n",DllName);
///////////////////////////////////////////////////////////////////////////////////////////
temp=(*(pImageImportDescriptor+j)).Characteristics-VirtualAddress+PointerToRawData; //Get file pointer
SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
do
{
ReadFile(hDestinationFile,&temp,4,&NumberOfBytesRead,NULL);
if(temp==0)
{
break;
}
else
CountOfImportLookupTableEntries++;
} while (1);
GlobalMemoryForImportLookupTableEntries=GlobalAlloc(GPTR,CountOfImportLookupTableEntries*4);
temp=(*(pImageImportDescriptor+j)).Characteristics-VirtualAddress+PointerToRawData; //Get file pointer
SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,GlobalMemoryForImportLookupTableEntries,
CountOfImportLookupTableEntries*4,&NumberOfBytesRead,NULL); //Retrieve Import Lookup Table
PointToLookupTableEntries=(DWORD*)GlobalMemoryForImportLookupTableEntries;
printf("/n/n");
printf("Rva||Ordinal--Hint----ImportedFunctionName/n");/////88888
for(k=0;k<CountOfImportLookupTableEntries;k++)
{
WORD Ordinal=0;
TCHAR FunctionName[MAX_PATH];
printf("%-4d%#-8x",k,*(PointToLookupTableEntries+k)); //Output Import Lookup Table entries
temp=*(PointToLookupTableEntries+k)-VirtualAddress+PointerToRawData;
SetFilePointer(hDestinationFile,temp,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,&Ordinal,2,&NumberOfBytesRead,NULL); //Get the ordinal in hint/name table
printf(" %#-8x ",Ordinal);
ReadFile(hDestinationFile,FunctionName,MAX_PATH,&NumberOfBytesRead,NULL);
printf("%s/n",FunctionName);
}
printf("-------------------------------------------------------/n");
}
} //if end
}
//Output the information in the .edata section
if((*(pImageDataDirectory+0)).VirtualAddress!=0 && (*(pImageDataDirectory+0)).Size!=0)
{
RvaOfExportDirectoryTable=(*(pImageDataDirectory+0)).VirtualAddress; //Get the RVA of ExportDirectoryTable*****
printf("/nThis file has Export Directory Table./n");
}
else
{
printf("/nThis file has no Export Directory Table./n");
goto next;
}
for(i=0;i<NumberOfSections;i++)
{
if(RvaOfExportDirectoryTable>=(pImageSectionHeader+i)->VirtualAddress)
{
if( RvaOfExportDirectoryTable<=(pImageSectionHeader+i)->VirtualAddress+(pImageSectionHeader+i)->SizeOfRawData)
{
DestinationSectionPosition=i;
break;
}
}
}
FilePointerToIMAGE_EXPORT_DERECTORY= (*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
RvaOfExportDirectoryTable-
(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress; //Notice the priority
SetFilePointer(hDestinationFile,FilePointerToIMAGE_EXPORT_DERECTORY,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,&ImageExportDirectory,sizeof(IMAGE_EXPORT_DIRECTORY),
&NumberOfBytesRead,NULL);
if(NumberOfBytesRead==sizeof(IMAGE_EXPORT_DIRECTORY))
{
printf("/nGet IMAGE_EXPORT_DIRECTORY successfully!/n");
}
else
{
printf("/nCan't get IMAGE_EXPORT_DIRECTORY./n");
return;
}
printf("ImageExportDirectory.Characteristics: %#x/n",ImageExportDirectory.Characteristics);
printf("ImageExportDirectory.TimeDateStamp: %#x/n",ImageExportDirectory.TimeDateStamp);
printf("ImageExportDirectory.MajorVersion: %#x/n",ImageExportDirectory.MajorVersion);
printf("ImageExportDirectory.MinorVersion: %#x/n",ImageExportDirectory.MinorVersion);
printf("ImageExportDirectory.Name: %#x/n",ImageExportDirectory.Name);
printf("ImageExportDirectory.Base: %#x/n",ImageExportDirectory.Base);
printf("ImageExportDirectory.NumberOfFunctions: %#x/n",ImageExportDirectory.NumberOfFunctions);
printf("ImageExportDirectory.NumberOfNames: %#x/n",ImageExportDirectory.NumberOfNames);
printf("ImageExportDirectory.AddressOfFunctions: %#x/n",ImageExportDirectory.AddressOfFunctions);
printf("ImageExportDirectory.AddressOfNames: %#x/n",ImageExportDirectory.AddressOfNames);
printf("ImageExportDirectory.AddressOfNameOrdinals: %#x/n",ImageExportDirectory.AddressOfNameOrdinals);
FilePointerOfExportedDllName=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
ImageExportDirectory.Name-
(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
SetFilePointer(hDestinationFile,FilePointerOfExportedDllName,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,ExportedDllName,MAX_PATH,
&NumberOfBytesRead,NULL);
printf("/n%s/n",ExportedDllName);
//Get the corresponding file pointer
FilePointerOfExportAddressTable=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
ImageExportDirectory.AddressOfFunctions-(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
FilePointerOfExportNamePointerTable=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
ImageExportDirectory.AddressOfNames-(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
FilePointerOfExportOrdinalTable=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
ImageExportDirectory.AddressOfNameOrdinals-(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
//Allocate memory
hGlobalMemoryForExportAddressTable=GlobalAlloc(GPTR,ImageExportDirectory.NumberOfFunctions*4);
hGlobalMemoryForExportNamePointerTable=GlobalAlloc(GPTR,ImageExportDirectory.NumberOfNames*4);
hGlobalMemoryForExportOrdinalTable=GlobalAlloc(GPTR,ImageExportDirectory.NumberOfNames*2);
//Set file pointer and read data from file
SetFilePointer(hDestinationFile,FilePointerOfExportAddressTable,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,hGlobalMemoryForExportAddressTable,ImageExportDirectory.NumberOfFunctions*4,
&NumberOfBytesRead,NULL);
SetFilePointer(hDestinationFile,FilePointerOfExportNamePointerTable,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,hGlobalMemoryForExportNamePointerTable,ImageExportDirectory.NumberOfNames*4,
&NumberOfBytesRead,NULL);
SetFilePointer(hDestinationFile,FilePointerOfExportOrdinalTable,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,hGlobalMemoryForExportOrdinalTable,ImageExportDirectory.NumberOfNames*2,
&NumberOfBytesRead,NULL);
pExportAddressTableEntry=(DWORD*)hGlobalMemoryForExportAddressTable;
pExportNamePointerTableEntry=(DWORD*)hGlobalMemoryForExportNamePointerTable;
pExportOrdinalTableEntry=(WORD*)hGlobalMemoryForExportOrdinalTable;
printf("/nOrdinal-Index--RVA----------------FunctionName/n");
for(i=0;i<ImageExportDirectory.NumberOfFunctions;i++)
{
TCHAR ExportedFunctionName[MAX_PATH];
DWORD FilePointerOfExportedFunctionName=0;
printf("%#-7x ",*(pExportOrdinalTableEntry+i)+ImageExportDirectory.Base);
printf("%#-6x ",*(pExportOrdinalTableEntry+i));
printf("%#-8x ",*(pExportAddressTableEntry+i));
printf("%#-6x ",*(pExportNamePointerTableEntry+i));
printf("-->");
FilePointerOfExportedFunctionName=*(pExportNamePointerTableEntry+i)-
(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress+
(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData;
SetFilePointer(hDestinationFile,FilePointerOfExportedFunctionName,NULL,FILE_BEGIN);
ReadFile(hDestinationFile,ExportedFunctionName,MAX_PATH,
&NumberOfBytesRead,NULL);
printf(" %s",ExportedFunctionName);
printf("/n");
}
//Close handle to free allocated memory
CloseHandle(hGlobalMemoryForExportAddressTable);
CloseHandle(hGlobalMemoryForExportNamePointerTable);
CloseHandle(hGlobalMemoryForExportOrdinalTable);
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Output the information in .idata section
next:
if((*(pImageDataDirectory+1)).VirtualAddress!=0 && (*(pImageDataDirectory+1)).Size!=0)
{
RvaOfImportDirectoryTable=(*(pImageDataDirectory+1)).VirtualAddress; //Get the RVA of ImportDirectoryTable*****
printf("/nThis file has Import Directory Table./n");
}
else
{
printf("/nThis file has no Import Directory Table./n");
goto over;
}
for(i=0;i<NumberOfSections;i++) //Search the destination section
{
if(RvaOfImportDirectoryTable>=(pImageSectionHeader+i)->VirtualAddress)
{
if( RvaOfImportDirectoryTable<=(pImageSectionHeader+i)->VirtualAddress+(pImageSectionHeader+i)->SizeOfRawData)
{
DestinationSectionPosition=i;
break;
}
}
}
//Get the file pointer of Import Directory Table
SizeOfRawData=(*(pImageSectionHeader+DestinationSectionPosition)).SizeOfRawData;
PointerToRawData=(*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData;
VirtualAddress=(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress;
FilePointerToImportDirectoryTable= (*(pImageSectionHeader+DestinationSectionPosition)).PointerToRawData+
RvaOfImportDirectoryTable-
(*(pImageSectionHeader+DestinationSectionPosition)).VirtualAddress; //Notice the operator's priority
SetFilePointer(hDestinationFile,FilePointerToImportDirectoryTable,NULL,FILE_BEGIN); //Set the file pointer
CountOfImportDirectoryEntries=0; //Initialize with zero
hGlobalMemoryForCount=GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR));
do
{
ReadFile(hDestinationFile,hGlobalMemoryForCount,sizeof(IMAGE_IMPORT_DESCRIPTOR),&NumberOfBytesRead,NULL);
if(*((DWORD*)hGlobalMemoryForCount)==0 && *((DWORD*)hGlobalMemoryForCount+1)==0) //Why ?Unhandled Exception
{
break;
}
else
CountOfImportDirectoryEntries++;
} while (1);
if(CountOfImportDirectoryEntries==0)
{
printf("/nThe count of Import Directory Entries is 0/n");//Output error information
return;
}
else
{
printf("/nCount of ImportDirectoryEntries is:%d/n",CountOfImportDirectoryEntries);
}
hGlobalMemoryForImportDirectoryTable2=GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR)*
CountOfImportDirectoryEntries);
pImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)hGlobalMemoryForImportDirectoryTable2;
SetFilePointer(hDestinationFile,FilePointerToImportDirectoryTable,NULL,FILE_BEGIN); //Set the file pointer
/*Notice : To set the file pointer before calling ReadFile() is very important.*/
ReadFile(hDestinationFile,hGlobalMemoryForImportDirectoryTable2,
sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries,
&NumberOfBytesRead,NULL); //Get ImportDirectoryTable
if(NumberOfBytesRead==sizeof(IMAGE_IMPORT_DESCRIPTOR)*CountOfImportDirectoryEntries)
{
printf("Get Import Directory Table successfully!/n/n");
}
else
{
printf("/nCan't get Import Directory Table./n");
return;
}
for(i=0;i<CountOfImportDirectoryEntries;i++)
{
DWORD FilePointerOfImportedDllName=0;
DWORD FilePointerOfImportLookupTable=0;
WORD temp=0;
DWORD CountOfImportLookupTableEntries=0;
DWORD *PointerToImportLookupTableEntry=NULL; //pointer to Import Lookup Table entry
HANDLE hGlobalMemoryForImportLookupTable=NULL;
//Output Import Directory Table entries
printf("IMAGE_IMPORT_DESCRIPTOR.Characteristics: %#x(union)/n",(*(pImageImportDescriptor+i)).Characteristics);
printf("IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk: %#x(union)/n",(*(pImageImportDescriptor+i)).OriginalFirstThunk);
printf("IMAGE_IMPORT_DESCRIPTOR.TimeDateStamp: %#x/n",(*(pImageImportDescriptor+i)).TimeDateStamp);
printf("IMAGE_IMPORT_DESCRIPTOR.ForwarderChain: %#x/n",(*(pImageImportDescriptor+i)).ForwarderChain);
printf("IMAGE_IMPORT_DESCRIPTOR.Name: %#x/n",(*(pImageImportDescriptor+i)).Name);
printf("IMAGE_IMPORT_DESCRIPTOR.FirstThunk: %#x/n",(*(pImageImportDescriptor+i)).FirstThunk);
FilePointerOfImportedDllName=(*(pImageImportDescriptor+i)).Name-VirtualAddress+PointerToRawData;
SetFilePointer(hDestinationFile,FilePointerOfImportedDllName,NULL,FILE_BEGIN);
RtlZeroMemory(ImportedDllName,MAX_PATH);
ReadFile(hDestinationFile,ImportedDllName,MAX_PATH,&NumberOfBytesRead,NULL);
printf("/n%s/n",ImportedDllName); //output dll name
FilePointerOfImportLookupTable=(*(pImageImportDescriptor+i)).Characteristics-VirtualAddress+PointerToRawData;//file pointer
SetFilePointer(hDestinationFile,FilePointerOfImportLookupTable,NULL,FILE_BEGIN); //Set file pointer
do
{
ReadFile(hDestinationFile,&temp,4,&NumberOfBytesRead,NULL);
if(temp==0)
{
break;
}
else
CountOfImportLookupTableEntries++;
} while (1);
if(CountOfImportLookupTableEntries==0)
{
printf("Error.Count of ImportLookupTableEntries is 0./n");
return;
}
SetFilePointer(hDestinationFile,FilePointerOfImportLookupTable,NULL,FILE_BEGIN); //Set file pointer
hGlobalMemoryForImportLookupTable=GlobalAlloc(GPTR,CountOfImportLookupTableEntries*4);
ReadFile(hDestinationFile,hGlobalMemoryForImportLookupTable,CountOfImportLookupTableEntries*4,
&NumberOfBytesRead,NULL);
if(NumberOfBytesRead!=CountOfImportLookupTableEntries*4)
{
printf("/nError.Can't get ImportLookupTable./n");
return;
}
PointerToImportLookupTableEntry=(DWORD*)hGlobalMemoryForImportLookupTable;
printf("/nInformation in ImportLookupTable./n/n");
printf("Rva||Ordinal--Hint----ImportedFunctionName/n");
for(j=0;j<CountOfImportLookupTableEntries;j++)
{
DWORD Bitwise=0;
WORD Hint=0;
DWORD FilePoinerOfNameTable=0;
TCHAR ImportedFunctionName[MAX_PATH];
printf("%-4d %#-8x ",j,*(PointerToImportLookupTableEntry+j));
Bitwise=*(PointerToImportLookupTableEntry+j);
Bitwise=Bitwise & 0x80000000;
if(Bitwise!=0)
{
}
else
{
}
FilePoinerOfNameTable=*(PointerToImportLookupTableEntry+j)-VirtualAddress+PointerToRawData;
SetFilePointer(hDestinationFile,FilePoinerOfNameTable,NULL,FILE_BEGIN); //Set file pointer
ReadFile(hDestinationFile,&Hint,sizeof(WORD),
&NumberOfBytesRead,NULL);
printf("%#-8x ",Hint);
ReadFile(hDestinationFile,ImportedFunctionName,MAX_PATH,
&NumberOfBytesRead,NULL);
printf("%s/n",ImportedFunctionName);
}
printf("-------------------------------------------------------/n");
}
//Free the memory allocated
over:
GlobalFree(hGlobalMemoryForImportDirectoryTable2);
GlobalFree(hGlobalMemoryForImportDirectoryTable);
GlobalFree(hGlobalAllocatedMemory);
GlobalFree(hGlobalAllocatedMemoryOfDataDirectory);
CloseHandle(hDestinationFile);
}